Distribution of traffic flows between multiple redundant servers is also known as load-balancing. In web services, load-balancing includes distributing and assigning incoming client connections across a cluster of web servers. There are known works that rely on Round-Robin Doman Name System (DNS) (RR-DNS) to distribute incoming client connections across a cluster of servers. Traditional load balancing can be employed on Internet Protocol (IP) level, which performs load-balancing based on flow tuple or according to the relative load on the different servers in the cluster. There are also load-balancers which are employed on Layer 4 and Layer 5 of the Open System Interconnection model (OSI model). For instance, a module provides a modular solution for scaling Layer 4 and Layer 5 data center server farm services, for example, by determining the type of request by inspecting the Uniform Resource Locator (URL) and then forwarding the request to the appropriate server. Other load-balancers exist for network proxy servers; they are based on the proxy-server's cache-content and their goal is to increase the cache hit ratio rather than get equal server loads. Advanced modern load balancers are usually application aware and are called application delivery controllers.
Security appliances traditionally were offered as monolithic physical devices. In modern scale out environments these appliances are often distributed to cope with scale and dynamicity of the traffic and thus require load balancing to spread the load between the different instances of the appliance. However, traditional load balancing solutions used for web and proxy servers are not well suited to learning security appliances. For example, network security appliances are inherently different from traditional web and proxy servers. The main goal of cache proxy servers' is to cache data, while providing high cache-hit rate. On the other hand, network security appliances generate statistics, maintain different phases (transition between learning phase about network traffic and non-learning phases), and generate different decisions based on their collected statistics and the current phase. The operation of anomaly detection based network security appliances generally may include two separate steps: the first step is called training phase wherein a normal traffic profile is generated; the second phase is called anomaly detection, wherein the learned profile is applied to the current traffic to look for any deviations.
For better load balancing, traditional load-balancers are provided with specific feedback from the servers behind the load balancer. For example, to ensure equal load distribution, servers provide load feedback to the load-balancer. Another example is increasing the cache hit-ratio of proxy-based load-balancers, wherein the cache hit-ratio of individual proxy servers is fed back to the load-balancer. The feedback information in these cases pertains to a single dimension/metric.